Hi Mike,

All the security pages you refer to are manually authored. What it means is
that someone took the time to create these pages for those components at
some point in the past. It does not mean the pages are complete, up to
date, or that components that have CVEs actually have pages. This is
obviously a pain point that would be nice to automate.

Gary


On Mon, Aug 28, 2023, 8:04 PM Mike Drob <md...@apache.org> wrote:

> Hello commons-dev!
>
> I found the very lovely https://commons.apache.org/security.html page and
> I very much appreciate the links out to individual projects' security
> pages. However, it looks like a little under half (9/21) have security
> pages linked.
>
> Does this mean that the other 12 projects have never had a security
> vulnerability reported? Reported but rejected? Reported and triaged in
> other ways - e.g. patched but not assigned a CVE?
>
> Any insight into the practices of the community is appreciated!
>
> Thanks,
> Mike